A privacy impact assessment (PIA) helps to identify and address potential privacy risks that may occur in a project. A PIA is used for information systems, administrative practices and policy proposals that relate to the collection, use or disclosure of individually identifying personal or health information.
Requirements to Submit a PIA to the OIPC
Custodians are required to submit a PIA for review by the OIPC (section 64 of the Health Information Act).
Public bodies and private sector organizations are not required to submit a PIA for review by the OIPC. The OIPC encourages public bodies and organizations to voluntarily submit PIAs.
Guide for Completing a PIA
The Privacy Impact Assessment Requirements Guide assists in completing a PIA.
Review of PIAs
PIAs received by the OIPC undergo an initial assessment to determine whether the submission is complete and follows the requirements guide. Incomplete submissions are returned to the submitter. If the submission is complete, the PIA will be assigned to a manager for review. It takes up to 12 months for a PIA to be assigned to a manager for the review. (This timeline does not include Netcare PIAs submitted through the expedited review process.)
The OIPC will "accept", not approve, a PIA. Acceptance acknowledges that reasonable efforts to protect privacy have been made and relevant privacy considerations have been addressed by the custodian, public body or private sector organization.
Not all PIAs received by the OIPC result in "acceptance".
The following document lists all accepted PIAs since January 1, 2017:
- PIA Registry (Excel)
The following documents list certain accepted PIAs prior to 2017: